Device and method for processing a sequence of information packets

ABSTRACT

The packets of the sequence are stowed away in a packets memory organized as a stack, in association with respective processing labels. The processing label associated with each packet extracted from the packets memory is examined so as to activate a processing module selected as a function of the label received. The activated module performs an elementary processing of the packet extracted. The elementary processing performed by at least one of the processing modules comprises associating the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label.

The present invention relates to packet based transmission networks. It applies in particular, but not exclusively, to networks operating according to the Internet protocol (IP).

The invention can be implemented at the level of the outside interfaces of routers of the network, so as to perform analyses and processing of the data streams travelling through these interfaces.

Here, the expression “police” functions designates various processing or control operations performed at the level of such an interface on data streams which pass through it. By way of nonlimiting examples, mention may be made of the counting of the packets exchanged between a given source address and a given destination address, the allocating of priorities to certain packets, address translations, the selective destruction of certain packets, etc.

These police functions may be included within a contractual framework between a subscriber and a manager of the network. Such may for example be the case with functions relating to flow control, to authorization for access to certain sites linked to the network, to the implementing of reservation protocols such as RSVP, etc. They may also be included within the framework of the internal organization of a public or private network, for example to control certain accesses.

Current routers offer a set of configuration commands making it possible to apply such police functions. Thus, a filter relating to certain fields of the header of the packets is defined so as to identify the stream or streams concerned, the filter being associated with a particular function operated on the corresponding packets. These filters, or “access lists”, exhibit certain inflexibilities. Thus, it is not possible to string two filters together, one specifying a sort on the packets selected by the first. These filters are constructed on a sequential model: the first filter which is suitable for a given packet is adopted to the exclusion of the following filters which might also be suitable. It is therefore impossible to apply several rules and associated processing operations to one and the same stream (for example to count all the packets transmitted according to the TCP protocol on a port x and to count all the TCP streams heading for a given server, including those traveling toward the port x).

To sidestep certain of these limitations, commands performing several joint actions have been defined. These solutions afford only relative flexibility and appreciably complicate the language for configuring the routers. A homogeneous framework for managing the future extensions of the police functions to be undertaken is also lacking.

An aim of the present invention is to propose a mode of processing sequences of information packets which offers high flexibility of configuration without significantly increasing the complexity of the configuration interface.

The invention thus proposes a device for processing a sequence of information packets, comprising a packets memory, organized as a stack, in which the packets of the sequence are stowed away in association with respective processing labels, an assembly of processing modules, and supervisory means receiving the processing label associated with each packet extracted from the packets memory and activating one of the processing modules selected as a function of the label received, the activated module undertaking an elementary processing of the extracted packet. The elementary processing undertaken by at least one of the processing modules comprises the associating of the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label.

The device makes it possible to string together police functions according to an arbitrary graph of elementary processing operations acting on data streams identified by the processing labels. This affords a flexible framework for managing the configuration of the interface and any protocol extensions.

The performance of the device is independent of the number of strings of elementary processing operations which may be performed on the streams traveling through the interface, and proportional to the more complex of these strings. On the other hand, the technique used consumes more memory than a conventional sequential implementation.

Another aspect of the present invention concerns a method of processing a sequence of information packets, in which the packets of the sequence are stowed away in a packets memory organized as a stack, in association with respective processing labels, the processing label associated with each packet extracted from the packets memory is examined so as to activate a processing module selected as a function of the label received from among an assembly of processing modules, the activated module undertaking an elementary processing of the packet extracted. The elementary processing undertaken by at least one of the processing modules comprises the associating of the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features and advantages of the present invention will become apparent in the following description of nonlimiting exemplary embodiments, with reference to the appended drawings, in which:

FIG. 1 is a diagram of a network where the invention may be implemented;

FIG. 2 is a schematic diagram of an access router of a private installation of this network;

FIG. 3 is a schematic diagram of a stream processing device forming part of an interface of the router of FIG. 2; and

FIG. 4 is a graph of elementary processing operations undertaken by the device of FIG. 3.

DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows a wide area shared network (WAN) comprising a certain number of interconnected routers and switches 11, 12. The case where the shared network 10 operates according to the IP protocol is considered here. A certain number of the routers are concentrating routers 12 to which private installations 13 are linked.

A private subscriber installation 13 is typically linked to the shared network 10 by means of an access router 15, one of whose interfaces 16 is linked to a line 17 for transmission from and to the concentrating router 12. The access router 15 can be linked to other routers of the private installation 13 or to servers or terminals 18 of this installation, by means of other interfaces, which are not represented in FIG. 1.

FIG. 2 shows an exemplary architecture of the access router 15. The outside interface 16, and also the interfaces 20, 21 with the remainder of the private installation 13, are linked to the core of the router consisting of a packet forwarding engine 22. The forwarding engine 22 forwards the packets from one interface to another on the basis of the address fields and port fields contained in the headers of the packets in accordance with the IP protocol and with any extensions thereof (TCP, UDP, etc.), by referring to routing tables.

Certain of the interfaces of the access router 15 are provided, in just one or in both directions of transmission, with processing devices, or stream processors, 24, 25 undertaking police functions. In the illustrative example of FIG. 2, the device 24 is fitted to the outside interface 16 in the outgoing direction, and the device 25 is fitted to another interface 20 in the incoming direction.

The access router is supervised by a management unit 26 which can consist of a microcomputer or a workstation which executes routing software serving in particular to configure the routing table of the forwarding engine 22 and the stream processors 24, 25 and to exchange control or protocol information with them. These commands and exchanges are effected by way of an appropriate software programming interface (API).

Most of the existing packet routing and forwarding software is readily available in the Unix environment, but its performance is customarily limited on account of the frequent interruptions of the operating system. It is much faster to use a real time operating system such as VxWorks, but this complicates the implementation of the routing software.

The role of the stream processors 24, 25 is to assist the non-real time operating system (such as Unix), on the basis of which the management unit 26 functions, in the complex tasks for manipulating the streams which require real time performance (forwarding, filtering, enciphering, etc.). These processors implement a certain number of tools for manipulating the streams which may be linked dynamically according to any combination so as to perform the task required. This configuration can be achieved through the Unix operating system by calling the API functions, thereby greatly facilitating the setting up of new functionalities by the programmer.

As illustrated diagrammatically by FIG. 1, one of the tasks performed by the stream processor 24 of the outside interface 16 of the access router 15 consists in transmitting each packet to the concentrating router 12 while appending a digital signature (block 40) thereto. This signature attests that the packets in question have been subjected to the other stream control operations (block 39) performed by the processor 24.

The corresponding interface 28 of the concentrating router 12 comprises a module for analyzing the packets received on the line 17 so as to make sure that the signature is present.

This signature technique advantageously makes it possible to decentralize the stream control operations necessary for the contractual relations between the manager of the concentrating router 12, which provides the service of attachment to the shared network 10, and the subscribers whose installations 13 are linked to this concentrating router 12. In the conventional embodiments, these stream control operations are performed at the level of the concentrating router. This results in considerable complexity of the concentrating router when it is attached to a fairly large number of private installations, and a lack of flexibility for the subscribers when modifications are required.

By performing these stream control operations at the level of the access routers 15, great flexibility is afforded in this regard. The signing of the packets then guarantees to the service provider that the line 17 does not send him valid packets which depart from the contractual framework with the subscriber. If such a packet were to appear, the interface 28 of the concentrating router 12 would simply eliminate it after having noted the absence of the appropriate signature.

Various conventional processes may be used to construct and analyze the signature of the packets, on the basis of a secret shared between the routers 12 and 15. The signature can in particular have the form of a code word added to the content of the packet, and calculated on the basis of all or part of this content and of a secret key, the calculation being performed with the aid of a function which is extremely difficult to invert in order to recover the secret key. It is thus possible to use a technique of hashing the content of the packet, or of just a part of this content, for example an MD5 hashing (see R. Rivest, RFC 1231, “The MD5 Message Digest Algorithm”).

It is also possible to use an enciphering process to form the signature of the packets. The content of the packet is then enciphered with the aid of a private key, the interface 28 of the concentrating router undertaking the corresponding deciphering with the aid of a public or private key. The unenciphered packets, or those enciphered by means of a wrong key, are then destroyed at the level of the interface 28.

As an option, provision may be made for the interface 28 of the concentrating router to also sign the packets which it transmits on the line 17, and for the interface 16 of the access router to verify this signature so as to make sure that the packets received are valid.

FIG. 3 shows the organization of a stream processor 24 or 25 of an interface of the access router 15.

The stream processor receives a sequence of incoming packets 30 each comprising a header 31 in accordance with the IP protocol, and delivers a sequence of outgoing packets 32 having a header 33 after having performed certain elementary processing operations whose nature depends on the data streams concerned.

The incoming packets 30 are stowed away in a packets memory 35 organized as a first in-first out (FIFO) stack. Each packet is fed to the memory 35 with a processing label 36. The processing label initially has a specified value (0 in the example represented) for the incoming packets 30.

The stream processor is supervised by a unit 37 which cooperates with a table 38 making it possible to associate a particular processing module with each value of the processing label. In the simplified example represented in FIG. 3, the stream processor comprises an assembly of five processing modules M1-M5 effecting elementary processing operations of different kinds.

After the execution of an elementary processing operation, the supervisory unit 37 consults the packets memory 35. If the latter is not empty, a packet is extracted therefrom according to the FIFO organization. The supervisory unit 37 consults the table 38 to determine which processing module corresponds to the label of this packet. The unit 37 then activates the module in question so that it performs the corresponding elementary processing operation. In certain cases, this elementary processing operation may entail a modification of the content of the packet, in particular its header.

It will be understood that the “extraction” of the packet, to which reference is made, is an extraction in the logical sense from the FIFO memory. The packet is not necessarily removed from the memory. The addresses of the packets in the memory 35 can be managed in a conventional manner by means of pointers so as to comply with the FIFO organization. The activated processing module can be furnished simply with the address of the current packet so as to perform the required reads, analyses, modifications or deletions as appropriate.

The first processing module M1, associated with the initial label 0, is a filtering module which analyzes the address field and/or protocol definition field and/or port field of the IP header of the packets. With the help of an association table T1, the filtering module M1 delivers a second processing label which identifies a string of elementary processing operations which will subsequently have to be performed on the packet. After having determined the second processing label for the packet extracted from the memory 35, the filtering module M1 stows away the packet in the memory 35 again, with the second processing label. The next elementary processing operation will then be executed when the packet is again extracted from the memory.

The module M2 is a module for counting the packets relating to certain streams. In the case of the association table 38 represented in FIG. 3, this module M2 is called for the processing labels 2 and 4. When it processes a packet, the module M2 increments a counter with the number of bytes of the packet, or else with the value 1 in the case of a packets counter. The counter can be made secure, in particular if it serves for the billing of the subscriber by the manager of the network 10. In the case of a secure counter, requests are regularly made to the access provider to obtain transmission credits, the relevant packets being destroyed if the credit is used up.

The module M3 of FIG. 3 is a priorities management module. In the case of the association table 38 represented in FIG. 3, this module M3 is called for the processing label 3. The module M3 operates on the TOS (“Type of Service”) field of the IP header of the packets. The TOS is used in the network to manage forwarding priorities so as to provide a certain quality of service on certain links. The TOS field can be changed according to prerecorded tables. These tables can be defined under the control of the access provider so as to prevent packets being inappropriately transmitted with a high priority, which might disturb the network.

The elementary processing operation performed last on a packet of the memory 35 is either its destruction (module M4 activated by the label 8), or its resubmission to the output of the stream processor (module M5 activated by the label 5 or 9). The module M4 can be used to destroy packets having a certain destination and/or a certain origin.

The modules M2 and M3, which do not terminate the processing operations to be undertaken in respect of a packet (except in the case of destruction), each operate with a label translation table T2, T3. This translation table designates, for the processing label extracted from the memory 35 with the current packet, another processing label designating the next elementary processing operation to be undertaken. The elementary processing operation undertaken by this module M2 or M3 terminates with the associating of the packet with this other processing label and the reinjecting of the packet thus processed into the memory 35.

In this way, highly varied combinations of processing operations can be performed on the various data streams passing through the processor.

FIG. 4 shows a simplified example corresponding to the tables 38, T1-T3 represented in FIG. 3. The incoming packet 30, associated with the first label 0, is firstly subjected to the filtering effected by the module M1.

In the particular case considered, the stream processor 24 counts the packets transmitted from a source address AS1 to a destination address AD1 and a port P1, and modifies the TOS field of these packets before delivering them on the line 17, this corresponding to the upper branch of the graph of FIG. 4. Moreover, the stream processor 24 counts the packets emanating from a source address AS2 heading for a port P2 before destroying them, this corresponding to the lower branch of FIG. 4. The other packets are simply delivered to the line 17. The default value (9) of the processing label returned by the module M1 therefore simply designates the output module M5. If the module M1 detects in the packet extracted from the memory 35 the combination AS1, AD1, P1 in the relevant address and port fields, it returns the packet with the processing label 2. If the values AS2, P2 are detected in the address and port fields, it is the label 4 which is returned with the packet.

These labels 2 and 4 both correspond to the counting module M2. The label will also designate for this module the memory address of the counter which has to be incremented. The table T2 with which the module M2 operates will make it possible at the end of processing to perform the return to the next module to be activated (M3 designated by the label 3 for the packets whose TOS has to be changed, M4 designated by the label 8 for the packets to be destroyed).

The module M3 receives packets with the processing label 3, and returns them with the label 9 after having made the required modification of the TOS field.

From this simplified example it can be seen that the stream processor makes it possible, through the identification of a stream by the filtering module M1, to perform various combinations of elementary processing operations in a relatively simple and fast manner.
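The following Python model is an added illustration and not code from the patent: it implements the label-driven stream processor of FIGS. 3 and 4 (FIFO memory 35, table 38 dispatch, tables T1-T3, modules M1-M5) together with the signing of block 40 and the check performed by interface 28 described earlier. The addresses, ports, TOS values and shared secret are constructed placeholders, and HMAC-SHA256 stands in for the keyed MD5 hashing mentioned in the text.

```python
import hashlib
import hmac
from collections import deque

# Constructed placeholders for AS1, AD1, P1, AS2, P2 of FIG. 4 and for the
# secret shared between the routers 12 and 15 (none of these come from the page).
AS1, AD1, P1 = "192.0.2.10", "198.51.100.20", 80
AS2, P2 = "192.0.2.66", 23
SHARED_SECRET = b"placeholder-shared-secret"

# Table T1 of module M1: (source, destination or None, port) -> second label;
# the first matching rule wins and the default label 9 designates output module M5.
T1 = [((AS1, AD1, P1), 2), ((AS2, None, P2), 4)]
# Translation tables T2 (counting module M2) and T3 (TOS module M3): label -> next label.
T2 = {2: 3, 4: 8}
T3 = {3: 9}
# Prerecorded TOS rewrite table of module M3 (constructed values).
TOS_TABLE = {0x00: 0x10}
# Table 38 of the supervisory unit 37: processing label -> module.
TABLE_38 = {0: "M1", 2: "M2", 3: "M3", 4: "M2", 5: "M5", 8: "M4", 9: "M5"}


def sign(pkt, secret):
    """Code word appended by M5 (block 40): keyed hash over header fields and payload.
    HMAC-SHA256 is used here in place of the keyed MD5 hashing mentioned in the text."""
    content = f"{pkt['src']}|{pkt['dst']}|{pkt['dport']}|{pkt['tos']}|{pkt['payload']}"
    return hmac.new(secret, content.encode(), hashlib.sha256).hexdigest()


def accept_at_interface_28(pkt, secret):
    """Interface 28 keeps a packet only if its signature verifies under the shared secret."""
    sig = pkt.get("sig")
    return sig is not None and hmac.compare_digest(sig, sign(pkt, secret))


class StreamProcessor:
    """Stream processor 24: FIFO packets memory 35, table 38 dispatch, modules M1-M5."""
    def __init__(self, secret=SHARED_SECRET):
        self.memory = deque()          # packets memory 35: (label, packet) in FIFO order
        self.counters = {2: 0, 4: 0}   # M2 packet counters, one per counting label
        self.output = []               # outgoing packets 32, signed by M5
        self.dropped = 0               # packets destroyed by M4
        self.secret = secret
        self.modules = {"M1": self.m1_filter, "M2": self.m2_count, "M3": self.m3_tos,
                        "M4": self.m4_destroy, "M5": self.m5_output}

    def submit(self, pkt):
        """Incoming packet 30 enters the memory with the initial label 0."""
        self.memory.append((0, dict(pkt)))

    def run(self):
        """Supervisory unit 37: extract, consult table 38, activate the module, repeat."""
        while self.memory:
            label, pkt = self.memory.popleft()
            self.modules[TABLE_38[label]](label, pkt)

    def m1_filter(self, label, pkt):
        new_label = 9
        for (src, dst, port), lbl in T1:
            if pkt["src"] == src and pkt["dport"] == port and dst in (None, pkt["dst"]):
                new_label = lbl
                break
        self.memory.append((new_label, pkt))  # stowed away again with the second label

    def m2_count(self, label, pkt):
        self.counters[label] += 1             # the label also selects the counter
        self.memory.append((T2[label], pkt))  # next step taken from table T2

    def m3_tos(self, label, pkt):
        pkt["tos"] = TOS_TABLE.get(pkt["tos"], pkt["tos"])
        self.memory.append((T3[label], pkt))

    def m4_destroy(self, label, pkt):
        self.dropped += 1                     # terminal: the packet is not reinjected

    def m5_output(self, label, pkt):
        pkt["sig"] = sign(pkt, self.secret)   # attests that the whole chain was run
        self.output.append(pkt)               # terminal


def run_fig4_example():
    """Constructed traffic: one packet per branch of FIG. 4 plus one default packet."""
    sp = StreamProcessor()
    sp.submit({"src": AS1, "dst": AD1, "dport": P1, "tos": 0x00, "payload": "a"})
    sp.submit({"src": AS2, "dst": "203.0.113.5", "dport": P2, "tos": 0x00, "payload": "b"})
    sp.submit({"src": "192.0.2.99", "dst": AD1, "dport": 443, "tos": 0x00, "payload": "c"})
    sp.run()
    return sp
```

Because the memory is FIFO and every non-terminal module reinjects at the tail, the default packet "c" is delivered before "a", whose chain is longer; a packet that is modified after signing, or one signed under another secret, is rejected by the interface 28 check.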

A main advantage of this way of proceeding is the flexibility of the operations for configuring the stream processor. The tables 38, T1-T3 which define any graph of elementary processing operations, such as the one represented in FIG. 4, can be constructed relatively simply and with a small real time constraint by means of the management unit 36 through the API. The same holds in respect of the information enabling the modules M1-M5 to perform their elementary processing operations (description of the counts to be performed by the module M2, way of changing the TOS fields by the module M3, etc.).

In practice, the stream processor may comprise various processing modules other than those represented by way of example in FIGS. 3 and 4, according to the requirements of each particular installation (for example, a module for managing the output queues, an address translation module, etc.).

The function of signing the packets transmitted, which was described earlier, can form part of the elementary processing undertaken by the output module M5. In a typical embodiment of the access router, the stream processor 24 will be included in an application specific integrated circuit (ASIC) organized around a microcontroller core. This embodiment allows there to be no physical access between the stream control modules 39 (at least those which pertain to the relations between the subscriber and the manager of the network 10) and the module M5 which is responsible for signing the packets, corresponding to the block 40 of FIG. 1. This improves the security of the link from the viewpoint of the manager of the network.

CLAIMS

1. A device for processing a sequence of information packets, comprising: a packets memory organized as a stack, means for stowing away the packets of the sequence in association with respective processing labels, a plurality of processing modules, at least one labels translation table, means for extracting packets from the packets memory, and supervisory means for receiving the processing label associated with each packet extracted from the packets memory and activating one of the processing modules selected as a function of the label received, the activated module being arranged to perform an elementary processing of the extracted packet, whereby the elementary processing performed by at least one of the processing modules comprises associating the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label.

2. A device according to claim 1, wherein a first processing label is associated initially with each packet of the sequence, wherein the supervisory means are arranged to activate a filtering module forming part of the plurality of processing modules in response to the receipt of the first processing label, and wherein the elementary processing performed by the filtering module comprises analyzing a header of the packet extracted and associating the packet with a second processing label dependent on a result of the analysis.

3. A device according to claim 1, wherein the plurality of processing modules comprises an output module for transmitting the extracted packet to an output of the device, with a signature based on a secret shared with a concentrating router of a telecommunication network, authenticating that the packet has been subjected to the processing operations performed by the device.

4. A method of processing a sequence of information packets, comprising the steps of: stowing away the packets of the sequence in a packets memory organized as a stack, in association with respective processing labels, and examining the processing label associated with a packet extracted from the packets memory so as to activate a processing module selected as a function of the label received from among a plurality of processing modules, whereby the activated module performs an elementary processing of the packet extracted, wherein the elementary processing performed by at least one of the processing modules comprises associating the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label.

5. A method according to claim 4, wherein, after having been subjected to various elementary processing operations, each packet is delivered with a signature based on a secret shared with a concentrating router of a telecommunication network, authenticating that the packet has been subjected to said elementary processing operations.

6. A device for processing a sequence of information packets, comprising: a packets memory organized as a stack, means for stowing away the packets of the sequence in association with respective processing labels, a plurality of processing modules, at least one labels translation table, means for extracting packets from the packets memory, and supervisory means for receiving the processing label associated with each packet extracted from the packets memory and activating one of the processing modules selected as a function of the label received, the activated module being arranged to perform an elementary processing of the extracted packet, wherein the elementary processing performed by at least one of the processing modules comprises associating the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label, wherein a first processing label is associated initially with each packet of the sequence, wherein the supervisory means are arranged to activate a filtering module forming part of the plurality of processing modules in response to the receipt of the first processing label, and wherein the elementary processing performed by the filtering module comprises analyzing a header of the packet extracted and associating the packet with a second processing label dependent on a result of the analysis.

7. A device according to claim 6, wherein the plurality of processing modules comprises an output module for transmitting the extracted packet to an output of the device, with a signature based on a secret shared with a concentrating router of a telecommunication network, authenticating that the packet has been subjected to the processing operations performed by the device.

8. A method of processing a sequence of information packets, comprising the steps of: stowing away the packets of the sequence in a packets memory organized as a stack, in association with respective processing labels, and examining the processing label associated with a packet extracted from the packets memory so as to activate a processing module selected as a function of the label received from among a plurality of processing modules, whereby the activated module performs an elementary processing of the packet extracted, wherein the elementary processing performed by at least one of the processing modules comprises associating the extracted packet with a label modified in accordance with a labels translation table, the processed packet subsequently being stowed away again in the packets memory in association with the modified label, and wherein, after having been subjected to various elementary processing operations, each packet is delivered with a signature based on a secret shared with a concentrating router of a telecommunication network, authenticating that the packet has been subjected to said elementary processing operations.